This report summarizes the work done under this contract in the context of the long-term research plan
described in [14]. That paper, which was formulated under the auspices of this contract, outlines a plan
for the development of Rose, an applicative language based on a formal logic with powerful mechanical
proof assistance. We report here the progress to date on Rose, including our related efforts, following
fairly closely the outline of the Research Plan [14]. The first two sections of the Research Plan,
Introduction and Historical Foundations, provide additional background on our perspective; we omit
them from our outline here, however. Instead, we include a brief summary of our study of related work in
the first section below.

We should mention that Rose will grow out of the existing computational logic of Boyer and Moore,
described in [6, 7, 8]. Indeed, we identify the current version of the Rose language and logic with the
current Boyer-Moore computational logic.


1 Study of Related Work

During the second quarter of 1985, we participated in a close-up evaluation of three other major
verification systems (along with our own Gypsy system): GE's Affirm, SDC's Ina Jo/FDM, and SRI's
Revised Special/HDM. A week-long visit was in fact made to each of these sites to study and use the
local verification system and to discuss future verification directions with the local developers. The results
of these visits are described in a sequence of Internal Notes [11, 12, 13]. The entire effort's conclusions
appear in the Kemmerer study report [19].


2 Mechanizing Rose Logic

Our goal is to develop an economical technology for building proved computing systems with
mechanized formal logic. The unifying element of this technology is the functional language Rose which
we are designing. Rose embodies a powerful formal logic, and it also is an executable, functional
programming language. Thus, potentially, Rose provides a single, unified formalism that can express
both hardware and software systems and their specifications and requirements.

In the long term, with the development of parallel architectures and optimizing compilers that exploit
theorem proving, we believe that functional programming languages will be useful across a wide variety of
tasks. In the intermediate term, we intend that Rose be convenient for software applications such as
encryption boxes, flow modulators, message servers, etc. These are the application areas in which
Gypsy commonly is used today. In the short term, we intend that Rose be a convenient language in
which to specify and prove properties about von Neumann computing systems.

The purpose of this phase of our work is to mechanize the Rose logic so that it can be used extensively
and economically in all of the previous kinds of activities. We will do this by increasing the power of the
current Boyer-Moore logic and its theorem prover, by defining the Rose language which embodies the
expanded logic and presents it in a more conventional and familiar notation, and by implementing a
life-cycle support system for Rose that supports the development and maintenance of large collections of
Rose functions, theorems, and proofs.



2.1 Rose Logic

Rose logic will ultimately be current Boyer-Moore logic extended to include

1. quantification over finite domains,

2. a simulation of functions as first-class objects,

3. partial recursive functions.

Much research has already been carried out by Boyer and Moore [8] to support these modifications.

An experimental version of the theorem prover supporting quantification over finite domains and partial
functions exists, and it is being tested. The steps necessary to release it for wide-spread use are:

1. convince ourselves and our peers that the modified logic is consistent,

2. convince ourselves and our peers that the modifications made to the released version of the
theorem prover are correct, and

3. write the manual for the new logic and theorem prover.

To these ends, a report on the extended Boyer-Moore logic and theorem prover has been
completed [8]. A draft of a detailed user's manual has also been completed [5], describing not only the
basics of using the theorem prover but also containing many helpful tips for using it efficiently. It also
serves the role of being a reference guide for the logic as it currently exists.


2.2 Rose Language

As mentioned above, the current Rose logic is the existing Boyer-Moore logic. What we desire is, at
the least, a more conventional and familiar notation for Rose logic than the Lisp notation that presently is
used in Boyer-Moore logic.

But the Rose language will evolve from the current Boyer-Moore logic in other ways besides sugaring
the syntax. For example, we expect Rose to contain mutual recursion and (more generally) a relaxation
of the current Boyer-Moore restrictions on the order of definitions. We also anticipate the inclusion of
name space control (scopes), a simulation of functions as first-class objects, type-checking, and iterative
forms and partial functions such as those already existing in the experimental new version of the Boyer-
Moore logic and prover [8].

In order to aid the development of the Rose language, a formal semantic definition of the language
Micro Gypsy (discussed below) was developed in an experimental Rose syntax [15]. This definition is the
basis for proving the correctness of the Micro Gypsy compiler. In addition, the type mechanism in the
Rose language was investigated by considering the difficulty of expressing, in Rose, the algorithms for
checking the well-formedness of Micro Gypsy expressions [22].


2.3 Rose Support System

An experimental window-based interface to the Boyer-Moore prover was developed for Symbolics Lisp
Machines [2]. Although we expect to redesign this interface, its development provided valuable
experience.


2.4 Document Management

Preliminary investigation was made into the design of a Rose Development System. This system
would maintain consistency among related documents such as source, object, manuals, and so on. So
far, the most promising approach to document management that we have discovered is the Neptune
hypertext system [9] being developed by Tektronix to support CAD (Computer Aided Design) and CASE
(Computer Aided Software Engineering) systems. More thoughts on this matter may be found in the
Research Plan [14].


2.5 Theory Management, Reusable Theories

Some thought has been given to implementing a hierarchical library structure that allows one to merge
theories. This turns out to be a somewhat complicated issue in the setting of the current Boyer-Moore
system, but we believe such an improvement to be feasible. We have found it quite helpful to reuse
theories - for example, we have libraries of arithmetic facts and facts about subsets that have been used
more than once - and a hierarchical library structure would encourage more theory reuse.


2.6 A 'Smart' Blackboard

We imagine the user developing a system and its proof in a medium as flexible as a blackboard but
which, unlike a blackboard, is active and is capable of manipulating the formulas inscribed on it as well as
following the arguments about them. We already mentioned the White Rose interface above, which is an
early step in this direction. In addition, an interpreter has been developed which includes a trace and
break package as well as a user's guide and technical documentation [1, 3]. (We are well aware that
executability is extremely important in the development/acquisition of specifications.) Another feature of
this electronic blackboard should be a convenient means for querying the Boyer-Moore database. Some
recent additions made to the system for this purpose are documented in Chapter 12 of [5].


2.7 Building Trusted Systems

The mechanized logic whose development is described above will be used in building a variety of
trusted systems. As the power of the Rose system evolves, proofs of both von Neumann and functional
computing systems will be constructed. Conversely, use of the system will provide important feedback
into the development of the Rose logic, language, and support system.

The applications of Rose that we foresee include the following:

• a formal definition of the Rose language,

• a formal definition for a subset of Ada,

• a formal definition of the Micro Gypsy language,

• a formal definition of the FM8501 assembly language,

• a formal definition of FM8501' (a successor to FM8501),

• a proof of correctness of a Micro Gypsy compiler to FM8501 (and FM8501'),

• a proof of correctness of a Micro Gypsy runtime executive for FM8501,

• a proof of correctness of an FM8501 (and FM8501') assembler,

• a proof of correctness of a Rose compiler,

• a proof of correctness of a Rose proof checker.

The remaining sections below report our progress toward proving correctness of von Neumann
systems and functional systems, respectively.


3 Proving von Neumann Systems

Work proceeded toward the goal of producing a vertically verified system, i.e. a system which has been
proved correct from the high-level language through the operating system and down to the hardware
level. The paper [4] describes this work in some detail. There are three components to our vertically
verified system: the machine (including the hardware and assembler), the operating system, and the
systems programming language (including a compiler and a parser). The hardware, operating system,
and compiler are independent doctoral dissertation research projects; the latter two of these are works in
progress. We discuss these all in turn below, excepting the assembler (which is work in progress under
other support). Once the three components are completed, their integration into a single system can
proceed.

Figure 1 is taken from the paper [4], and illustrates our plan to achieve vertical verification. A quite
thorough explanation of this fundamental diagram may be found in [4]; here is a summary. Consider for
example the bottom parallelogram of this figure. There is a notion of an abstract FM8501 state, i.e. a
state as seen at the level of the machine instruction set. There is also the notion of a concrete FM8501
state, i.e. a state as seen at the level of the state-holding [...] logic; this consists of an [...]. [...]
with an abstract state, as represented by the FM8501 box on the left side of the figure. The downward
arrow from that box represents the result of "completing" this abstract state to an appropriate concrete
state. The left-to-right arrow from the FM8501 box represents the "abstract run" of a given number of
instruction steps on that state, while the arrow below it represents the "concrete run" of a corresponding
(larger) number of instructions on the corresponding concrete state. The upward arrow on the lower right
completes the diagram, which means roughly that if one takes the concrete state resulting from the
"concrete run" and abstracts from it a corresponding abstract state, then the result is the abstract state
resulting from the "abstract run".


3.1 Hardware

We have designed and proved a microprocessor, called the FM8501, a conventional von Neumann
engine of roughly the complexity of a PDP-11.

FM8501 is a complete, stand-alone microprocessor with a symmetrically organized instruction set. Its
features include:

• 16-bit general purpose processor

• word addressing yielding a 64K word (128K byte) memory size

• eight general purpose registers (one also being the program counter)

• 16-bit instructions

• register-register, register-memory, or memory-memory operation is allowed with all
instructions

• two-address instruction format

• register, register indirect, register indirect with post-increment, or register indirect with pre-
decrement addressing mode are individually supported for both operands for all instructions

• general-purpose conditional move instruction

• Boolean, natural number, and integer operational specification

• separate ALU for effective address generation

• memory mapped I/O

• compact functional description

FM8501 is a micro-coded device. The microcode is used to control instruction decoding and internal
data movement. A separate ALU is used for effective address calculations, increasing the performance of
the microprocessor.

All registers may be used as index registers or as software stack pointers. Four status bits - carry (C),
overflow (V), negative (N), and zero (Z) - can be conditionally set by every instruction. FM8501 can
access 2^16 memory locations, each one word (16 bits) in size; FM8501 can directly manipulate 128K
bytes of memory.

All FM8501 instructions are one word (16 bits) in size. Every instruction specifies a source and a
destination location, each of which is either in a register or in memory. Instructions for the FM8501
specify two kinds of information: the operation to be performed and the location of the operands on which
the operation is performed. Every instruction has a source and a destination. If two sources are required,
the destination operand serves as the other source before being modified (i.e., FM8501 has a two-
address architecture). Because there are no special instructions for I/O, input/output devices are
connected to FM8501 as memory devices (memory-mapped I/O).

We have proved the FM8501 in the following sense. The specification of the machine is an instruction
interpreter for its machine language. The interpreter is defined as a recursive function with each
recursion corresponding to a single state transition. This interpreter formally specifies the effect of
executing each possible instruction and may be thought of as a formal version of a programmer's manual
for the device. The implementation of the FM8501 is a gate graph containing about 1700 Boolean gates,
not counting those necessary to implement registers, latches, memory, etc. We have mechanically
proved that the gate graph locally implements the instruction interpreter.
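As an added illustration of the commuting diagram summarized in Section 3 and of the interpreter-style
specification described in this subsection, here is a small Python model. It is not code from this report or
from the FM8501 effort. It defines an abstract two-address machine with eight 16-bit registers, register 7
serving as program counter, and C, V, N, Z status bits, whose interpreter is a recursive function taking
one state transition per call; a concrete machine that executes each instruction in three micro-steps; the
"completion" and "abstraction" maps between the two; and a check that an abstract run of n instructions
agrees with the abstraction of the concrete run of 3n micro-steps. The instruction set (MOVE, ADD, SUB
on register or memory operands), the tuple encoding, the separate program store and the three-phase
microarchitecture are all assumptions made for the example and are not the FM8501's.

```python
"""Toy vertical-verification check: an abstract two-address ISA interpreter
against a micro-stepped concrete machine. Constructed example; the instruction
set, encoding and microarchitecture are assumptions, not the FM8501's."""
from dataclasses import dataclass, replace

MASK = 0xFFFF
PC = 7            # register 7 doubles as the program counter (assumption)


@dataclass(frozen=True)
class AState:
    """Abstract state: what a programmer's manual would describe."""
    regs: tuple                    # eight 16-bit general-purpose registers
    mem: tuple                     # data memory, one 16-bit word per cell
    flags: tuple = (0, 0, 0, 0)    # status bits (C, V, N, Z)


def read(s, opnd):
    kind, n = opnd                 # ("R", register) or ("M", address)
    return s.regs[n] if kind == "R" else s.mem[n]


def write(s, opnd, val):
    kind, n = opnd
    cells = list(s.regs if kind == "R" else s.mem)
    cells[n] = val
    return replace(s, regs=tuple(cells)) if kind == "R" else replace(s, mem=tuple(cells))


def alu(op, d, src):
    """Two-address ALU: dst := dst op src with 16-bit wrap; returns (result, (C, V, N, Z))."""
    if op == "MOVE":
        r, carry, ov = src, 0, 0
    elif op == "ADD":
        full = d + src
        r, carry = full & MASK, full >> 16
        ov = int(((d ^ r) & (src ^ r) & 0x8000) != 0)
    elif op == "SUB":
        full = d - src
        r, carry = full & MASK, int(full < 0)          # carry bit records the borrow
        ov = int(((d ^ src) & (d ^ r) & 0x8000) != 0)
    else:
        raise ValueError(op)
    return r, (carry, ov, r >> 15, int(r == 0))


def astep(s, prog):
    """One abstract state transition: execute the instruction at the pc."""
    op, dst, src = prog[s.regs[PC]]
    val, flags = alu(op, read(s, dst), read(s, src))
    s = write(s, dst, val)
    regs = list(s.regs)
    regs[PC] = (regs[PC] + 1) & MASK
    return replace(s, regs=tuple(regs), flags=flags)


def arun(s, prog, n):
    """Abstract run of n instructions: one recursion per state transition."""
    return s if n == 0 else arun(astep(s, prog), prog, n - 1)


@dataclass(frozen=True)
class CState:
    """Concrete state: the abstract state plus microarchitectural latches."""
    arch: AState
    phase: int = 0       # 0 fetch, 1 operand fetch + ALU, 2 write-back
    ir: tuple = None     # instruction register
    latch: tuple = None  # (result, flags) latched in phase 1


def cstep(c, prog):
    """One micro-step; three micro-steps implement one abstract instruction."""
    if c.phase == 0:
        return replace(c, phase=1, ir=prog[c.arch.regs[PC]])
    op, dst, src = c.ir
    if c.phase == 1:
        return replace(c, phase=2, latch=alu(op, read(c.arch, dst), read(c.arch, src)))
    val, flags = c.latch
    a = write(c.arch, dst, val)
    regs = list(a.regs)
    regs[PC] = (regs[PC] + 1) & MASK
    return CState(replace(a, regs=tuple(regs), flags=flags))


def crun(c, prog, n):
    for _ in range(n):
        c = cstep(c, prog)
    return c


def complete(s):
    """Downward arrow of Figure 1: complete an abstract state to a concrete one."""
    return CState(s)


def abstract(c):
    """Upward arrow: defined only between instructions (phase 0)."""
    if c.phase != 0:
        raise ValueError("no abstract state in the middle of an instruction")
    return c.arch


def commutes(s, prog, n):
    """Bottom parallelogram: n abstract steps vs. abstraction of 3n concrete steps."""
    return arun(s, prog, n) == abstract(crun(complete(s), prog, 3 * n))


# Constructed sample program and initial state.
PROGRAM = (
    ("MOVE", ("R", 0), ("M", 0)),   # r0 := mem[0]
    ("ADD",  ("R", 0), ("M", 1)),   # r0 := r0 + mem[1]   (wraps past 0xFFFF, sets C)
    ("SUB",  ("M", 2), ("R", 0)),   # mem[2] := mem[2] - r0  (borrows, sets C and N)
    ("MOVE", ("R", 1), ("R", 0)),   # r1 := r0
)
INIT = AState(regs=(0,) * 8, mem=(0xFFF0, 0x0020, 0x0005))

if __name__ == "__main__":
    final = arun(INIT, PROGRAM, len(PROGRAM))
    print(hex(final.regs[0]), hex(final.mem[2]), final.flags)
    print("diagram commutes:", commutes(INIT, PROGRAM, len(PROGRAM)))
```

The check is a test on one program and one state; the proof reported above establishes the same
square for every state and every instruction sequence, which is what distinguishes verification from
simulation.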


3.2 The Separation Kernel

Implementing the Rose runtime support software in Micro Gypsy requires multi-tasking. We are
working on the proof of correctness of a small multi-tasking operating system designed for a simple von
Neumann computer. The verification of the operating system includes two kinds of properties:

• Task isolation. We prove that the operating system, running on a single hardware processor,
simulates a fixed number of isolated parallel tasks.

• Correctness of operating system services. The operating system provides the following
services not provided by the bare target machine: message passing among tasks, and
character I/O primitives to asynchronous devices.

The statement of the problem requires the definition of three machines: a task, an abstract operating
system, and the target machine on which the operating system will run.

A task is modeled as a single address space of the target machine, plus the shared resources
necessary to implement communication with other tasks and devices. This model ensures that a task's
address space is isolated in the sense that no other task can perform a transition on it.

The abstract operating system specifies an operating system which manages a fixed number of tasks.
The functionality specified for this operating system includes a round-robin scheduler, an error trap
routine, I/O interrupt handlers, and supervisor service handlers for message passing and I/O.

The target machine is a two-state machine (supervisor and user modes) with I/O interrupts and with
memory protection provided by base/limit registers. The instruction set and addressing modes are
conventional, resembling a subset of the capabilities of a PDP-11. The operating system which is
ultimately verified is written in the machine code of this target machine.

The correctness proof of the operating system takes two steps. First, we prove that the abstract
operating system implements a system of parallel processes. This correctness theorem states that any
task running under the abstract operating system behaves in a way identical to the model of an isolated
task. Second, we prove that the target machine running the machine code version of the operating
system satisfies the specification given by the abstract operating system. Composing these two results
gives us the theorem that the operating system implements isolated tasks.

The verification of the operating system is nearly complete. We have specified all three layers (task,
abstract operating system, and target machine) in Rose (i.e. the Boyer-Moore logic). The proof that the
abstract operating system implements isolated tasks is complete. The proof that the target machine
running the machine code operating system implements the abstract operating system is nearly complete.
We have verified a clock interrupt handler, an error trap handler, and the send and receive supervisor
services. The input and output services plus the I/O interrupt handlers remain to be verified. Verifying
these routines should pose no significant new problems.
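The isolation property and the base/limit protection mechanism described above can be exercised on a
toy model. The following Python code is an added example, not the verified kernel, its target machine or
its instruction set. Two tasks with a constructed two-instruction repertoire (INC, CPY) are multiplexed by a
round-robin kernel that grants one instruction per clock tick; a protection violation invokes the error trap,
which halts the offending task; and the check compares each task's memory region, program counter and
halt status after the multiplexed run with the model of the same task run in isolation. Running the check
with the base/limit test disabled shows the property failing, which is the behaviour the mechanism exists
to prevent.

```python
"""Toy separation-kernel model: round-robin multiplexing of tasks on one
processor with base/limit memory protection, checked against the model of an
isolated task. Constructed example in the spirit of Section 3.2; the
instruction repertoire and machine are assumptions, not the verified kernel's."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Task:
    prog: tuple            # ("INC", a) or ("CPY", dst, src); addresses are task-relative
    base: int              # base register loaded when the task is dispatched
    limit: int             # number of words the task may address
    pc: int = 0
    halted: bool = False   # set by the error trap handler


def exec_instr(instr, mem, xlate):
    """Execute one user-mode instruction. xlate maps a task-relative address to a
    memory index or raises IndexError, which models the hardware protection trap."""
    mem = list(mem)
    if instr[0] == "INC":
        i = xlate(instr[1])
        mem[i] = (mem[i] + 1) & 0xFFFF
    elif instr[0] == "CPY":
        d, s = xlate(instr[1]), xlate(instr[2])
        mem[d] = mem[s]
    else:
        raise ValueError(instr)
    return tuple(mem)


def task_step(t, mem, protect=True):
    """Target machine: run task t for one instruction under its base/limit registers."""
    if t.halted or t.pc >= len(t.prog):
        return t, mem

    def xlate(a):
        if protect and not 0 <= a < t.limit:
            raise IndexError(a)                # outside the task's window: trap
        return t.base + a

    try:
        mem = exec_instr(t.prog[t.pc], mem, xlate)
    except IndexError:
        return replace(t, halted=True), mem    # error trap: halt task, memory untouched
    return replace(t, pc=t.pc + 1), mem


def kernel_run(tasks, mem, ticks, protect=True):
    """Abstract operating system: round-robin scheduler, one instruction per clock tick."""
    tasks = list(tasks)
    for k in range(ticks):
        i = k % len(tasks)
        tasks[i], mem = task_step(tasks[i], mem, protect)
    return tuple(tasks), mem


def isolated_run(t, steps):
    """Model of an isolated task: private memory that no other task can touch."""
    alone, priv = replace(t, base=0), (0,) * t.limit
    for _ in range(steps):
        alone, priv = task_step(alone, priv)
    return alone, priv


def isolation_holds(tasks, ticks, protect=True):
    """Task isolation: after the multiplexed run, every task's region, pc and halt
    status equal those of the isolated model run for the ticks that task received."""
    mem = (0,) * sum(t.limit for t in tasks)
    final, mem = kernel_run(tasks, mem, ticks, protect)
    for i, t in enumerate(tasks):
        alone, priv = isolated_run(t, len(range(i, ticks, len(tasks))))
        region = mem[t.base:t.base + t.limit]
        if (region, final[i].pc, final[i].halted) != (priv, alone.pc, alone.halted):
            return False
    return True


# Constructed sample: B increments its own word 1 but also addresses word 5,
# beyond its limit of 4 (physically word 1 of task A); A counts in its word 0.
TASK_B = Task(prog=(("INC", 1), ("INC", 5), ("INC", 1)), base=0, limit=4)
TASK_A = Task(prog=(("INC", 0), ("INC", 0), ("INC", 0)), base=4, limit=4)
TASKS = (TASK_B, TASK_A)

if __name__ == "__main__":
    print("with base/limit protection:", isolation_holds(TASKS, 6))
    print("protection disabled:", isolation_holds(TASKS, 6, protect=False))
```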


3.3 Systems Programming Language

Our systems programming language is "Micro Gypsy", a small subset of Gypsy comparable to Small C
which is defined formally in [23, 15]. The compiler for Micro Gypsy will be verified in Rose, providing a
verified translation link between the high level language and the assembly language of the target
machine. The target language is an abstract assembly language for the FM8501, the microprocessor
which has also been verified in Rose.

Micro Gypsy contains a large part of the sequential component of Gypsy, including exception handling.
Principal features of Gypsy not included (at present) in the subset are dynamic data structures,
concurrency, and data abstraction. Early experience with Micro Gypsy has convinced us that it contains
sufficient functionality to code many of the examples in the literature of full Gypsy.

The compiler for Micro Gypsy is being written in Rose (i.e. the Boyer-Moore logic) and proven in the
Rose verification system (i.e. the Boyer-Moore theorem prover, with some modifications). Major
components of the compiler and its specification include the following.

• A pre-processor translates from Gypsy syntax into a LISP-like prefix syntax. In the process
it eliminates all expression evaluation in favor of calls to standard Micro Gypsy procedures.

• A recognizer checks the output of the pre-processor for acceptability to the translation
process. The recognizer will eventually be obviated when it is proven that the pre-processor
always generates acceptable input to the Micro Gypsy compiler.

• The Micro Gypsy interpreter provides an operational semantics for Micro Gypsy. Its input
is a program in prefix form and a legal Micro Gypsy state; the result is a state.

• The assembly language interpreter provides an analogous operational semantics for the
target language.

• The translator takes as input a legal Micro Gypsy program and produces a semantically
equivalent program in the assembly language.

• Several mapping functions translate between Micro Gypsy and assembly language states.

The correctness theorem for the compiler states that a Micro Gypsy program interpreted on a legal Micro
Gypsy state is semantically equivalent (under the mappings) to its translated version interpreted on the
corresponding assembly language state. The formal statement of the theorem and more discussion are
given in [4].

The following progress has been made under the current contract.

1. A complete definition of Micro Gypsy was formulated and documented in a draft
manual [23]. Additionally, examples of the use of Micro Gypsy were devised to illustrate the
translation of Micro Gypsy syntax to the abstract prefix syntax [24, 25].

2. A preprocessor was written; details are given in the next subsection.

3. The two interpreters, recognizer, translator, and mapping functions were each written as
Rose functions for the complete subset.

4. The proof of correctness was begun.

The proof strategy which we evolved was to verify the compiler with a minimal subset of the language
and successively add features until we obtained the desired functionality. We currently have a proof of a
very simple version of the system with only four instructions: NO-OP, SIGNAL, PROG2, and LOOP, and
which only allows references to simple variables. This has given us an enhanced respect for the
complexity of the task which remains, but also a wealth of insight into the strategies required to complete
it. We envision adding the instructions IF, BEGIN-WHEN, and PROC-CALL and adding data structures
ARRAY and RECORD.
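The shape of the correctness theorem can be seen on a toy compiler. The Python below is an added
example and not the Micro Gypsy compiler: a constructed prefix-form source language with NO-OP,
PROG2, SET (assignment to a simple variable) and IF (test of a simple variable against zero), a source
interpreter, a target interpreter for an assumed assembly language with LDI, MOV, JZ, JMP and NOP, a
translator, and a mapping function from source states to target memories via a symbol table. The function
compiler_correct states the theorem for one program and one legal initial state: interpreting the source
and mapping the result equals interpreting the translation on the mapped state. The source statements
differ from the subset named in the text (SIGNAL and LOOP are not modelled) and the target instructions
are assumptions of the example.

```python
"""Toy compiler-correctness check in the shape of the Micro Gypsy theorem:
source interpreter, target interpreter, translator and state mapping.
Constructed example; the source statements and target instructions are
assumptions, not Micro Gypsy or the FM8501 assembly language."""
MASK = 0xFFFF


# Source (prefix form): ("NO-OP",) | ("SET", x, y) with y a variable name or a constant
# | ("PROG2", s1, s2) | ("IF", x, s_then, s_else) testing variable x against zero.
def mg_interp(stmt, st):
    """Operational semantics of the source: statement and state -> state."""
    kind = stmt[0]
    if kind == "NO-OP":
        return st
    if kind == "SET":
        _, x, y = stmt
        return {**st, x: (y & MASK) if isinstance(y, int) else st[y]}
    if kind == "PROG2":
        return mg_interp(stmt[2], mg_interp(stmt[1], st))
    if kind == "IF":
        _, x, s_then, s_else = stmt
        return mg_interp(s_then if st[x] != 0 else s_else, st)
    raise ValueError(kind)


# Target: ("NOP",) | ("LDI", addr, const) | ("MOV", dst, src)
# | ("JZ", addr, pc): jump if mem[addr] == 0 | ("JMP", pc).  Halts when pc == len(code).
def run_target(code, mem):
    """Operational semantics of the target: program and memory -> memory."""
    mem, pc = list(mem), 0
    while pc < len(code):
        ins = code[pc]
        if ins[0] == "NOP":
            pc += 1
        elif ins[0] == "LDI":
            mem[ins[1]] = ins[2]
            pc += 1
        elif ins[0] == "MOV":
            mem[ins[1]] = mem[ins[2]]
            pc += 1
        elif ins[0] == "JZ":
            pc = ins[2] if mem[ins[1]] == 0 else pc + 1
        elif ins[0] == "JMP":
            pc = ins[1]
        else:
            raise ValueError(ins)
    return tuple(mem)


def translate(stmt, symtab, base=0):
    """Translator. base is the target address of the first emitted instruction,
    so jump targets inside nested statements come out absolute."""
    kind = stmt[0]
    if kind == "NO-OP":
        return [("NOP",)]
    if kind == "SET":
        _, x, y = stmt
        if isinstance(y, int):
            return [("LDI", symtab[x], y & MASK)]
        return [("MOV", symtab[x], symtab[y])]
    if kind == "PROG2":
        first = translate(stmt[1], symtab, base)
        return first + translate(stmt[2], symtab, base + len(first))
    if kind == "IF":
        _, x, s_then, s_else = stmt
        then_code = translate(s_then, symtab, base + 1)
        else_start = base + 1 + len(then_code) + 1
        else_code = translate(s_else, symtab, else_start)
        return ([("JZ", symtab[x], else_start)] + then_code
                + [("JMP", else_start + len(else_code))] + else_code)
    raise ValueError(kind)


def map_state(st, symtab):
    """Mapping function: source state (variables) -> target memory via the symbol table."""
    mem = [0] * len(symtab)
    for var, addr in symtab.items():
        mem[addr] = st[var] & MASK
    return tuple(mem)


def compiler_correct(stmt, st, symtab):
    """The correctness theorem instantiated for one program and one legal initial state."""
    expected = map_state(mg_interp(stmt, st), symtab)
    return expected == run_target(translate(stmt, symtab), map_state(st, symtab))


# Constructed sample program: t := 0; if x then (t := y; x := 0) else t := 7.
PROG = ("PROG2", ("SET", "t", 0),
        ("IF", "x", ("PROG2", ("SET", "t", "y"), ("SET", "x", 0)), ("SET", "t", 7)))
SYMTAB = {"x": 0, "y": 1, "t": 2}
STATES = [{"x": 1, "y": 42, "t": 9}, {"x": 0, "y": 42, "t": 9}]

if __name__ == "__main__":
    for st in STATES:
        print(st, "->", mg_interp(PROG, st), "correct:", compiler_correct(PROG, st, SYMTAB))
```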


3.4 Micro Gypsy Parser

A parser for Micro Gypsy was written in Rose. In the context of the previous subsection, this is the
preprocessor for translating Micro Gypsy programs into a Lisp-like syntax which is recognized by the
recognizer. The parser converts a string of characters, representing a micro-Gypsy program, into the
form expected by the micro-Gypsy compiler. There are five components:

1. The reader converts a character string into a sequence of tokens, e.g., numbers, names,
and keywords.

2. The tree constructor converts a sequence of tokens into a tree representation of the
original Gypsy syntax. This component marks as errors tokens that do not fit into the Gypsy
syntax.

3. The prefix constructor converts the Gypsy syntax tree into a prefix form that is similar to
compiler input and is more convenient for subsequent processing.

4. The parser proper checks that the Gypsy tree represents a legitimate micro-Gypsy
program, marking errors such as type inconsistencies and undefined names. This
component also simplifies some Gypsy constructs. For example, it converts case
statements to if statements, removes expressions from actual parameter lists, and simplifies
structures that handle exception conditions.

5. The final component flattens the Gypsy namespace structure. It provides a single list of
procedure definitions, which are no longer divided into Gypsy scopes. This component also
constructs a type table, containing fully expanded definitions of all types in the program.

The Rose parser was modified to run in Lisp. The Lisp version was tested successfully on several
micro-Gypsy examples.

There was some progress toward proving that parser output is acceptable to the recognizer for micro-
Gypsy compiler input. This work was centered on the acceptability of the type table. Specification
functions were written for the part of the parser relevant to type table construction. A paper proof that the
type table is acceptable to the recognizer, on the assumption that the parser satisfies its specification, is
near completion.
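Components 1 to 3 of the parser can be illustrated with a small Python preprocessor, added here as an
example; it is not the Rose or Lisp parser described in this subsection. The surface syntax it reads
(assignments with ':=', if/then/else/end, ';' separators) is a constructed Gypsy-flavoured grammar, not
Gypsy's. The reader produces tokens, the tree constructor builds a syntax tree and records as errors the
tokens that do not fit the grammar, and the prefix constructor emits a Lisp-like prefix form using the
names NO-OP, PROG2, SET and IF, which are assumptions of the example. Components 4 and 5 (the
parser proper and namespace flattening) are not modelled.

```python
"""Toy preprocessor: reader, tree constructor and prefix constructor, the first
three components of the parser described above. Constructed example; the
surface grammar is Gypsy-flavoured, not Gypsy's, and the output names
(NO-OP, PROG2, SET, IF) are assumptions of the example."""
import re

KEYWORDS = {"begin", "end", "if", "then", "else"}
TOKEN_RE = re.compile(r"\s*(?:(\d+)|([A-Za-z_]\w*)|(:=|;)|(\S))")


def reader(text):
    """Component 1: character string -> tokens; stray characters become error tokens."""
    toks = []
    for m in TOKEN_RE.finditer(text):
        num, word, sym, other = m.groups()
        if num is not None:
            toks.append(("num", int(num)))
        elif word is not None:
            toks.append(("kw", word) if word in KEYWORDS else ("name", word))
        elif sym is not None:
            toks.append(("sym", sym))
        else:
            toks.append(("error", other))
    return toks


class TreeConstructor:
    """Component 2: tokens -> syntax tree; tokens that do not fit are recorded in .errors."""

    def __init__(self, toks):
        self.toks, self.i, self.errors = toks, 0, []

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else ("eof", None)

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def expect(self, tok):
        if self.peek() == tok:
            self.take()
        else:
            self.errors.append(self.peek())

    def block(self, terminators):
        """Statement list up to (not including) one of the terminator tokens."""
        stmts = []
        while self.peek()[0] != "eof" and self.peek() not in terminators:
            stmts.append(self.statement())
        return stmts

    def statement(self):
        tok = self.take()                       # every statement consumes at least one token
        if tok[0] == "name" and self.peek() == ("sym", ":="):
            self.take()
            rhs = self.take()
            if rhs[0] not in ("name", "num"):
                self.errors.append(rhs)
            node = ("assign", tok[1], rhs)
        elif tok == ("kw", "if"):
            cond = self.take()
            if cond[0] != "name":
                self.errors.append(cond)
            self.expect(("kw", "then"))
            then = self.block({("kw", "else"), ("kw", "end")})
            els = []
            if self.peek() == ("kw", "else"):
                self.take()
                els = self.block({("kw", "end")})
            self.expect(("kw", "end"))
            node = ("if", cond, then, els)
        else:
            self.errors.append(tok)
            node = ("error", tok)
        if self.peek() == ("sym", ";"):
            self.take()
        return node

    def program(self):
        return ("seq", self.block(set()))


def prefix(node):
    """Component 3: syntax tree -> Lisp-like prefix form; sequences become nested PROG2."""
    kind = node[0]
    if kind == "seq":
        return seq_prefix(node[1])
    if kind == "assign":
        return ("SET", node[1], node[2][1])
    if kind == "if":
        return ("IF", node[1][1], seq_prefix(node[2]), seq_prefix(node[3]))
    return ("ERROR", node[1])


def seq_prefix(stmts):
    if not stmts:
        return ("NO-OP",)
    if len(stmts) == 1:
        return prefix(stmts[0])
    return ("PROG2", prefix(stmts[0]), seq_prefix(stmts[1:]))


def preprocess(text):
    """Run the three components; returns (prefix form, list of offending tokens)."""
    tc = TreeConstructor(reader(text))
    return prefix(tc.program()), tc.errors


# Constructed sample inputs.
GOOD = "t := 0; if x then t := y; x := 0 else t := 7 end"
BAD = "t := 0; 7 := x end"

if __name__ == "__main__":
    print(preprocess(GOOD))
    print(preprocess(BAD))
```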


3.5 Computer Security

Computer security certification is a likely immediate beneficiary of our work on Micro Gypsy and Ava
because important progress is now being made in using normal Gypsy software proof methods to
prove computer security [26].

A non-interference model of security has been devised and proved for the Honeywell SAT system
abstract model [26]. A non-interference model for the low water mark problem was specified and proved
correct both in Gypsy and Boyer-Moore [18]. Each version had advantages and disadvantages and we
expect to exploit our observations made in [18] in designing Rose.
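Non-interference, the property named in both results above, can be checked exhaustively on small
machines. The Python below is an added example and not the SAT or low-water-mark models cited: a
Goguen-Meseguer style checker compares the outputs seen by a low user on every input sequence up to
a given length with those seen when the high user's inputs are purged. It is run on two constructed
machines. The first keeps separate low and high cells and passes. The second holds a single object
whose label is set to the level of its last writer and denies low reads of a high-labelled object; the denial
itself tells the low user that a high write occurred, and the checker returns that sequence as a
counterexample.

```python
"""Exhaustive non-interference check (Goguen-Meseguer style) on small machines.
Constructed example: the two machines are toys, not the SAT or low-water-mark
models the report refers to."""
from itertools import product

LOW, HIGH = 0, 1
# A machine is (step, out, init): step(state, cmd) -> state, out(state, cmd) -> output.
# Commands are (user_level, "write", value) or (user_level, "read", None).


def purge(seq, level):
    """Delete every command issued by a user at `level`."""
    return tuple(cmd for cmd in seq if cmd[0] != level)


def low_view(machine, seq):
    """The outputs the LOW user sees while the machine runs seq."""
    step, out, init = machine
    state, view = init, []
    for cmd in seq:
        if cmd[0] == LOW:
            view.append(out(state, cmd))
        state = step(state, cmd)
    return tuple(view)


def noninterfering(machine, alphabet, max_len):
    """HIGH does not interfere with LOW iff, for every input sequence (here up to
    max_len), LOW's outputs are unchanged when HIGH's inputs are purged.
    Returns None, or the first sequence on which the two views differ."""
    for n in range(max_len + 1):
        for seq in product(alphabet, repeat=n):
            if low_view(machine, seq) != low_view(machine, purge(seq, HIGH)):
                return seq
    return None


# Machine 1: separate low and high cells; each user reads and writes its own.
def sep_step(state, cmd):
    lo, hi = state
    if cmd[1] == "write":
        return (cmd[2], hi) if cmd[0] == LOW else (lo, cmd[2])
    return state


def sep_out(state, cmd):
    if cmd[1] == "read":
        return state[0] if cmd[0] == LOW else state[1]
    return "ok"


SEPARATE = (sep_step, sep_out, (0, 0))


# Machine 2: one shared object carrying the label of its last writer; a LOW read
# of a HIGH-labelled object is denied. The denial is itself a LOW-visible event.
def lab_step(state, cmd):
    if cmd[1] == "write":
        return (cmd[2], cmd[0])          # (value, label := writer's level)
    return state


def lab_out(state, cmd):
    value, label = state
    if cmd[1] == "read":
        return value if (cmd[0] == HIGH or label == LOW) else "denied"
    return "ok"


LABELLED = (lab_step, lab_out, (0, LOW))

ALPHABET = [(LOW, "write", 0), (LOW, "write", 1), (HIGH, "write", 0), (HIGH, "write", 1),
            (LOW, "read", None), (HIGH, "read", None)]

if __name__ == "__main__":
    print("separate cells:", noninterfering(SEPARATE, ALPHABET, 3))
    print("labelled object:", noninterfering(LABELLED, ALPHABET, 3))
```

A bounded exhaustive check of this kind finds counterexamples quickly but proves nothing about longer
sequences; the mechanical proofs cited above cover all sequences by induction on the input.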


4 Proving Functional Systems

Thus far, we have focused primarily on Rose as a logic and a specification language. However, Rose
is executable and can, in principle, be used to implement systems. We imagine Rose eventually being
used as a functional programming language. The primary attraction is simplicity: both hardware and
software systems can be specified, implemented, and proved in a single formalism.

We are expecting the computing world to make great strides in finding efficient implementations of
functional languages. Several interesting such developments have already been taking place in the last
few years, including specialized hardware for graph reduction [21], the G-machine implementation on
conventional hardware [17, 20], and compilation techniques such as the serial combinator approach [16].
The seeming potential for the exploitation of concurrency through functional languages is well recognized,
and may cause a breakthrough in performance. However, even now, there are important applications
(where efficiency is not so much of an issue) for Rose as a programming language.


4.1 Functional Systems

We have proved properties of cooperating sequential functions (a simple multiplexor/demultiplexor
system), as described in the status report for the first quarter of 1985. Some theorems were also proved
about a version of the 0618 flow modulator, whose Gypsy version is described in [10]. During this
contract, however, these theorems were proved in Rose (i.e. with the Boyer-Moore theorem prover). The
Boyer-Moore version of the specification is more abstract than the Gypsy version, in that the input stream
is a list of "messages". Theorems about this MFM were also stated that are much stronger than the
corresponding (proved) Gypsy statements.
I. ICS Technical Reports since January 1985

TR#  Date    Author                  Title (some abbreviated)

59   May 87  Kaufmann/Young          Comparing Gypsy and the Boyer-Moore Logic for Specifying Secure Systems
58   Apr 87  Shankar                 Proof-Checking Metamathematics
57   Apr 87  Kim                     On Automatically Generating and Using Examples in a Computational Logic System
56   Apr 87  Kim                     Measure Guessing: An Experiment with Hypothesis Generation from Examples
55   Feb 87  Boyer/Moore             User's Manual
54   Feb 87  Bevier, Hunt, and Young Toward Verified Execution Environments
53   Dec 86  Chou                    Methods and Examples in Mechanical Geometry Theorem Proving
52   Nov 86  Boyer/Moore             The Addition of Bound Quantifiers and Partial Functions to the Boyer-Moore Logic and Theorem Prover
51   May 86  Cohen                   Proving Gypsy Programs
50   Jul 86  Chou                    Proving Geometry Theorems Using Wu's Method
49   Dec 85  Chou                    Proving and Discovering Geometry Theorems Using Wu's Method
48   Feb 86  Good/Akers/Smith        Report on Gypsy 2.05
47   Dec 85  Hunt                    FM8501: A Verified Microprocessor
46   Jan 85  Kim                     EGS: A Transformational Approach to Automatic Example Generation
45   Jan 85  Shankar                 A Mechanical Proof of the Church-Rosser Theorem
44   Jan 85  Boyer/Moore             Integrating Decision Procedures into Heuristic Theorem Provers
II. Internal ICS Notes since January 1985

Note
Number    Date          Author          Title (some abbreviated)

237       Feb 87        Akers/L. Smith  An Introduction to the NQTHM Interpreter
236       Feb 87        Kaufmann        A Mechanically-checked Semi-interactive Proof of Correctness of Gries's Algorithm for Finding the Largest Size of a Square True Submatrix
235, 234  Feb 87        Kaufmann        A Primitive User's Manual for an Interactive Version of the Boyer-Moore Theorem-Prover (Parts 1 & 2)
233       DRAFT         Siebert/Akers   Internal Representation of Micro-Gypsy
232       Nov 86        L. Smith        THM Mode
231       Oct 86        Young           A Queue Package in Micro-Gypsy
230       Oct 86        Akers           A Design for NQTHM Interpreter
229       Oct 86        Kaufmann        "NQTHM" Version of Boyer-Moore
228       Oct 86        L. Smith        Backup
227       Sep 86        Good            Foundations
226       Sep 86        Akers           Gypsy 2.1 Predefined Function and Statement Descriptions
225       Sep 86        Akers           Justification for the New-GVE Implementation
224       Sep 86        Akers           Justification for the Gypsy 2.05 Dialect
223       Sep 86        Akers           A Proposal for Revising Gypsy Hold Spec Requirements
222       Sep 86        Akers           Internal Representation of Executable Micro Gypsy
221       Aug 86        Good            The Formal Definition of Micro Gypsy
220       Aug 86        Bevier          The Correctness of a Small Operating System
219       Jul 86        Akers           Discussions of GVE Alternation Causes
218       Jun 86        Young           The Semantics of Micro Gypsy
217       Jun 86        Young           Horner's Algorithm in Micro Gypsy
216       Jun 86        Young           A Recognizer for Micro Gypsy
215       May 86        Akers           The White Rose Window Interface
214       May 86        Good            DRAFT - In Support of THM
213       Apr 86        Young           Proofs
212       Apr 86        Young           The Low Water Mark Problem Using Noninterf.
211       Apr 86        Young           The Factorial Example
210       Jan 86        Bevier/Cohen    On the Well-Definedness of Gypsy Expressions
209       Jan 86        Akers           Gypsy Data Abstraction
208       Jan 86        L. Smith        Gypsy Object
207       Dec 85        Good            Rose Development System
206       Dec 85        Good            The Rose Function Space
205       Dec 85        Good            Bootstrapping Techniques
204       Oct 85        Good            Lisp in Rose
203       Oct 85        Good            Rose 84
202       Jan 86        B. Young        Gypsy Paginator
201       Nov 85        L. Smith        In Zmacs
200       Oct 85        M. Smith        Responses to Gypsy Critiques
199       Oct 85 draft  Akers           Gypsy 2.0 GVE Implementation Variances; 10-Oct-85
198       Sep 85        Akers           The Automated GVE Testbed
197       Oct 85 draft  Good            Proving Computing Systems in Ada
196       Sep 85        Akers           Bug Tracking Procedures
195       Sep 85        Akers           Implementation Proposals for Abstract Equality
194       Sep 85        L. Smith        Gypsy Interface with TSV05 Magtape
193       Sep 85        Good/M. Smith   Software Verification in Gypsy
192       Sep 85        Good/McHugh     Information Flow Tool for Gypsy
191       Sep 85        Good..          Building Software Economically with Mechanized Logic
190       Aug 85        Cohen           New GVE File Directories
189       Aug 85        L. Smith        Burning Gypsy Programs into PROM
188       Sep 85        Good            Notes on Revised SPECIAL and ENHANCED HDM
187       Jul 85        Bevier          The Multics Maclisp Version of the GVE
186       Jun 85 TBD    Young           Security in an Abstract Setting
185       Oct 85        Good            Proof of Ordered Search
184       Jun 85        Good            Gypsy Ordered Search
183       Oct 85        Good            Proof of Linear Search
182       Jun 85        Good            Gypsy Linear Search
181       Sep 85        Good            Proof of Object Array Theory
180       Jun 85        Good            Gypsy Object Array Theory
179       Sep 85        Good            Proof of Ordered Object Theory
178       Jun 85        Good            Gypsy Ordered Object Theory
177       Jun 85        Good            Proof of Two Channel Mover II
176       Jun 85        Good            Gypsy Two Channel Mover II
175       Oct 85        Good            Proof of Two Channel Mover I
174       Jun 85        Good            Gypsy Two Channel Mover I
173       Jun 85        Good            Proof of Carrier Connection
172       Jun 85        Good            Gypsy Carrier Connection
171       Jun 85        Akers           Comparison of FORMAT directives
170       Sep 85        Good            DRAFT Notes on FDM
170A      Sep 85        Good            Notes on FDM
169       Sep 85        Good            Notes on Affirm
168       May 85        Good            Gypsy IO without Buffers
167       Apr 85        Good            Micro Filter: Variation #4
166       Apr 85        Good            Micro Filter: Variation #3
165       Apr 85        Good            Micro Filter: Variation #2
164       Apr 85        Good            Micro Filter: Variation #1
163       Feb 85        Bevier          Symbol Table Proofs
162       Feb 85        Bevier          Saddle Back Search
161       Feb 85 draft  Good..          KAIS FEU Issues
160       Feb 85        Good            RSRE Crypto Controller
159       Jan 85        M. Smith        Low Water Mark: Simple Version
158       Jan 85        M. Smith        Low Water Mark Using Abstract Data Type Logs